
CM/CMTS Interaction

Module 4

Revision 2.0 – Last Update October 2003

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other
product or service names are the property of their respective owners. © Motorola, Inc. 2003.
Module 4, Page 2

Introduction

Introduction: In the last module, we looked at the CMTS configurations necessary to provide data services. We will now look at cable modem/CMTS interactions. Specifically, we will examine the ranging and registration process.

Importance: We need to baseline expected performance before we can isolate issues (the first step in troubleshooting) on the CMTS.

Lesson Overview: We will look at a sample configuration, ranging and registration.
Module 4, Page 3

Objectives

Objectives: Upon successful completion of this module, you will be able to perform the following tasks:
 Describe the DOCSIS-specified ranging and registration process
 List the necessary OSS services required
 Successfully range and register a cable modem on the BSR64000
 Use the CLI tools to isolate break-points
» Troubleshoot registration problems
Module 4, Page 4

CMTS/CM Interaction

Tuning: scan for a downstream channel and sync with the CMTS
Ranging: obtain the transmit parameters (from the UCD message); perform ranging
Connection: establish IP connectivity; establish time of day
Configuration: transfer operational parameters
Registration: perform registration
Maintenance
Module 4, Page 5

Viewing Ranging and Registration

 Show cable modem command
  From the Privileged EXEC mode
   show cable modem [<mac> | <ip address> hosts]
   • Can specify detail | offline | registered | unregistered | summary as arguments

MOT> en
MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect     Timing  Rec    Ip Address    Mac Address
IfIndex              Sid   State       Offset  Power
Cable 0/0  4         1     online(pk)  1239    109    10.200.220.2  0030.ebff.f03
cm->mac: 0050.f112.2563
Cable 0/0  4         2     online(pt)  1228    116    10.200.220.3  0050.f112.2563
Total cable modems reg: 2
Total cable modems other state: 0
Module 4, Page 6

Cable Modem Tuning

 CM listens for the CMTS downstream transmission
 CM searches for a downstream data channel
  » Synchronize with QAM
  » Synchronize with FEC and MPEG
Module 4, Page 7

Sample Downstream Tuning

[Figure: sample downstream scan across analog, digital TV and DOCSIS channels (channels 7, 8, 9, 10, 11, 44, 101, 108 in the drawing, with dwell times of 1 s and 2 s marked); the scan plans cover STD/IRC channels 6-134 and HRC channels 6-134]

While the CM is still scanning, the CMTS has not heard from it:

MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0
Module 4, Page 8

Monitor for SYNC Messages

 SYNC: periodically transmitted by the CMTS
 The SYNC message contains a time stamp that exactly identifies when the CMTS transmitted the SYNC
 Allows the CM to synchronize its time-based reference clock so that its transmissions on the upstream fall into the correct mini-slots
Module 4, Page 9

Obtain Upstream Parameters

 Monitor for the UCD message
  Periodically transmitted by the CMTS
  UCDs define the characteristics of the upstream channel:
   » mini-slot size
   » upstream channel ID
   » downstream channel ID
   » burst descriptor
Module 4, Page 10

Upstream Channel Descriptors

 UCDs
 One set per upstream channel
 Describe general upstream channel characteristics:
» Center frequency
» Channel width
» Mini-slot size
» Upstream channel ID
» Downstream channel ID
» Burst descriptor
• Describes each burst type:
– Initial maintenance
– Request
– Request/data
– Periodic maintenance
– Short data
– Long data
 Defined at CMTS in form of Modulation Profiles
Module 4, Page 11

Modulation Profiles

 Viewing Modulation Profiles


 From the Privileged EXEC mode
show cable modulation-profile [<1-16>]

MOT> en
MOT# sh cable modulation-profile 1
Profile 1
Intvl  FEC err  FEC code  Burst  Guard  MOD    Scrambl  Scrambl  Diff    Preambl  Last
usage  correct  word len  len    time   type            seed     encode  length   codeword
reque  0        16        2      8      qpsk   scrambl  0x152    no-dif  64       fixed
initi  5        34        0      48     qpsk   scrambl  0x152    no-dif  128      fixed
stati  5        34        0      48     qpsk   scrambl  0x152    no-dif  128      fixed
short  5        78        8      8      16qam  scrambl  0x152    no-dif  144      short
long   10       235       0      8      16qam  scrambl  0x152    no-dif  160      short
Module 4, Page 12

Downstream Transmission Format

MPEG Packet Format:
  MPEG Header (4 bytes) | pointer_field (0-1 byte) | DOCSIS Payload (183-184 bytes)

MPEG Framing for a Large DOCSIS MAC Frame:
  Packet 1: MPEG Header (4 bytes) | pointer_field (1 byte) | stuff_bytes (0 or more) | start of DOCSIS MAC Frame #1 (up to 183 bytes)
  Packet 2: MPEG Header (4 bytes) | continuation of Frame #1 (184 bytes)
  Packet 3: MPEG Header (4 bytes) | pointer_field (1 byte) | tail of Frame #1 (n bytes) | stuff bytes | Frame #2 (m bytes)
Module 4, Page 13

DOCSIS MAC

 Minislot = power of two (4, 8, …, 32) ticks of 6.25 µs, i.e. a multiple of 25 µs (max = 800 µs)
 4 ticks/minislot gives 64 symbols per minislot in a 3.2 MHz channel
  » 32 bytes/minislot in 16 QAM
  » 16 bytes/minislot in QPSK
 MAP must:
  be bounded by a limit of 240 information elements (each IE = 4 bytes)
  not describe more than 4096 minislots into the future (25.6 ms, 51.2 ms, …, 3.276 s depending on minislot size)
  not grant more than 255 minislots per CM per MAP
 Concatenation of multiple upstream packets is allowed for higher bandwidth efficiency
 Service Flow ID (SFID) and Service ID (SID)
  Identification and Class of Service management, support for data flows, mapping to CMTS-NSI QoS
Module 4, Page 14

MAPs

 The upstream time is allocated to modems in the MAP message


 MAP is variable length, typically 5-15 ms
 CMTS sends separate MAP messages for each upstream channel
 Set of all MAPs for a channel covers all minislots
 For each BW grant, contains:
 SID
 Burst type
 Grant length
 MAP contains US Channel ID and configuration count
 Allows dynamic UCD changes
Module 4, Page 15

MAPs (cont.)

 Received from the CMTS on the downstream channel
 The MAP MAC message describes the permitted use of the upstream channel

[Figure: two consecutive MAPs for an upstream channel, each laid out as Maintenance | Request/Contention Slots | Reserved Slots; a second upstream channel carries its own MAPs]
Module 4, Page 16

Upstream and Downstream TDM

 Allocation MAPs periodically broadcast on a downstream channel
  Contention Slots (CSs) for CMs sending requests
   » CSs are subject to competition/contention
  Data Slots (DSs) for data frames of individual CMs
   » DSs are dedicated to individual CMs
  ACK, Maintenance messages

[Figure: the downstream (D/S) carries SYNC, UCD and MAP messages interleaved with data; each upstream (U/S) channel is a stream of mini-slots laid out as Maintenance | Request/Contention Slots | Reserved Slots, and a second upstream channel carries its own MAPs]

 Upstream channels divided into a stream of mini-slots
Module 4, Page 17

Upstream Burst Transmission

[Figure: an upstream burst is PMD overhead (ramp-up, preamble of 0-1024 bits / 0-128 bytes) | DOCSIS payload | PMD overhead (FEC parity, 18-255 bytes in the drawing; zero-fill if necessary; ramp-down; guard band), occupying an integer number of minislots between the boundary of the previous burst and the boundary of the next burst]

MAC frame: MAC Header (6 bytes + EHDR) | Data PDU (18-1518 bytes, variable packet length)

MAC Header fields:
  FC (1 byte) | MAC_PARM (1 byte) | Length (2 bytes) | Extended Header (EHDR, 0-240 bytes) | Header Check Sequence (HCS, 2 bytes)
Data PDU (Ethernet frame): Destination (6 bytes) | Source (6 bytes) | Length (2 bytes) | User Data (0-1500 bytes) | CRC (4 bytes)
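The MPEG framing on the Downstream Transmission Format slide and the MAC header layout above are easiest to understand by building and parsing them. The following is an added example written for this page, not code from the Motorola module or the BSR64000: it packs DOCSIS MAC frames into 188-byte MPEG packets on the well-known DOCSIS PID, sets PUSI and the pointer_field whenever a frame starts inside a packet, pads with stuff bytes (0xFF), and then recovers the frames, using the pointer_field to resynchronize after a lost packet. The HCS is computed as CRC-CCITT (x^16+x^12+x^5+1, initial value 0xFFFF); those CRC parameters and the sample frames are assumptions, as is the fixed 0x1FFE PID value used as a constant.

```python
import struct

DOCSIS_PID = 0x1FFE        # MPEG PID carrying DOCSIS MAC frames on the downstream (assumed constant)
MPEG_PACKET_LEN = 188      # 4-byte MPEG header + 184-byte payload
STUFF_BYTE = 0xFF          # DOCSIS stuff byte: an FC value of 0xFF means "no frame here"


def crc16_ccitt(data: bytes) -> int:
    """HCS: CRC-CCITT x^16+x^12+x^5+1, init 0xFFFF, no final XOR (assumed parameters)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_mac_frame(pdu: bytes, ehdr: bytes = b"") -> bytes:
    """Packet-PDU MAC frame: FC | MAC_PARM | LEN | [EHDR] | HCS | PDU. FC bit 0 is EHDR_ON;
    with an EHDR present MAC_PARM is its length and LEN counts EHDR + everything after HCS."""
    fc = 0x01 if ehdr else 0x00                        # FC_TYPE 00 = packet PDU
    header = bytes([fc, len(ehdr)]) + struct.pack(">H", len(ehdr) + len(pdu)) + ehdr
    return header + struct.pack(">H", crc16_ccitt(header)) + pdu


def parse_mac_frame(buf: bytes, off: int = 0):
    """Parse one MAC frame at buf[off:] -> (fields, bytes consumed); ValueError on bad HCS."""
    fc, mac_parm, length = struct.unpack_from(">BBH", buf, off)
    ehdr_len = mac_parm if fc & 0x01 else 0
    hdr_end = off + 4 + ehdr_len
    if struct.unpack_from(">H", buf, hdr_end)[0] != crc16_ccitt(buf[off:hdr_end]):
        raise ValueError("HCS mismatch")
    pdu = buf[hdr_end + 2:hdr_end + 2 + length - ehdr_len]
    return {"fc_type": fc >> 6, "ehdr": buf[off + 4:hdr_end], "pdu": pdu}, 6 + length


def mpeg_packetize(frames):
    """Pack MAC frames into MPEG packets; a packet holding a frame start gets PUSI=1 and
    its first payload byte is the pointer_field (offset of that start in the other 183 bytes)."""
    stream, starts, pos = b"".join(frames), set(), 0
    for f in frames:
        starts.add(pos)
        pos += len(f)
    packets, pos, cc = [], 0, 0
    while pos < len(stream):
        here = sorted(s for s in starts if pos <= s < pos + 184)
        if here and here[0] < pos + 183:
            pusi, payload = 1, bytes([here[0] - pos]) + stream[pos:pos + 183]
            pos += 183
        elif here:   # start would land on the last byte with no pointer: stuff it, point next time
            pusi, payload = 0, stream[pos:pos + 183] + bytes([STUFF_BYTE])
            pos += 183
        else:
            pusi, payload = 0, stream[pos:pos + 184]
            pos += 184
        payload = payload.ljust(184, bytes([STUFF_BYTE]))
        header = bytes([0x47, (pusi << 6) | (DOCSIS_PID >> 8), DOCSIS_PID & 0xFF, 0x10 | cc])
        packets.append(header + payload)
        cc = (cc + 1) & 0x0F
    return packets


def _drain(buf: bytearray, frames: list) -> bool:
    """Parse every complete frame at the head of buf, skipping stuff bytes.
    On an HCS error the buffer is dropped and False tells the caller to wait for a pointer."""
    while True:
        while buf and buf[0] == STUFF_BYTE:
            del buf[0]
        if len(buf) < 4:
            return True
        total = 6 + struct.unpack_from(">H", buf, 2)[0]
        if len(buf) < total:
            return True
        try:
            frame, used = parse_mac_frame(bytes(buf[:total]))
        except ValueError:
            buf.clear()
            return False
        frames.append(frame)
        del buf[:used]


def mpeg_depacketize(packets):
    """Recover MAC frames from packets on the DOCSIS PID, resyncing on each pointer_field."""
    frames, buf, synced = [], bytearray(), False
    for pkt in packets:
        if len(pkt) != MPEG_PACKET_LEN or pkt[0] != 0x47:
            continue
        if ((pkt[1] & 0x1F) << 8) | pkt[2] != DOCSIS_PID:
            continue
        payload = pkt[4:]
        if pkt[1] & 0x40:                        # PUSI: payload[0] is the pointer_field
            ptr = payload[0]
            if synced:                           # bytes before the pointer finish the frame in progress
                buf += payload[1:1 + ptr]
                _drain(buf, frames)
            buf, synced = bytearray(payload[1 + ptr:]), True   # anything unfinished is lost
        elif not synced:
            continue                             # no frame start seen yet: nothing to parse
        else:
            buf += payload
        synced = _drain(buf, frames)
    return frames
```

Dropping a packet from the middle of a long frame shows the value of the pointer_field: the receiver discards the unfinished frame when the next PUSI packet arrives and picks up cleanly at the frame that packet points to, instead of misparsing the tail as a new header.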
Module 4, Page 18

Upstream MAC Operation

 Each CM scans the MAP for available slots
 Sends a request in a contention slot in contention mode
  » Contention resolution algorithm is similar to Ethernet
   • Binary exponential back-off mechanism
 Sends data frames in a dedicated DS
 Piggybacking
  » A request carried in the extended header of the next outgoing data frame
  » Bypasses the request contention process
 Scheduling of requests at the CMTS is vendor-specific

[Figure: a MAP is a list of intervals (Interval 1, Interval 2, …, Interval n) describing CSs and DSs, followed by ACKs and pending grants (ACK 1 … ACK n) and a Null IE]
Module 4, Page 19

Delivery of an Upstream Frame


[Figure: timeline of Map 1 and Map 2 against the common timing reference. Each MAP contains Initial Maintenance, Request/Contention Slots and Reserved Slots (t1, t3, t5 in Map 1; t6, t7, t9, t11 in Map 2). The CM sends its request (t2, t4) in a contention slot of Map 1 and its data frame (t8, t10) in the reserved slots granted by Map 2]

Upstream Frame Delay
 A CM sends a request in a contention slot of the 1st MAP
 Assuming no contention
 If data is granted in the 2nd MAP
 CM sends a data frame in the granted DSs of the 2nd MAP
Module 4, Page 20

Issues in Upstream Scheduling

 Map frequency/depth
  Faster - less frame delay/lower efficiency
  Slower - longer frame delay/more efficient
 Slot Ratio - CSs to DSs in a map
  Only one request outstanding per Service ID
  More CSs - less contention, potential waste of bandwidth
  Fewer CSs - longer request access delay, waste of DSs
  Ideal case: the number of CSs serves the number of requests
   » Estimate the number of requests during a map interval
 Mini-slot placement

[Figure: a map of minislots laid out as Maintenance | Request/Contention Slots | Reserved Slots]
Module 4, Page 21

Map Frequency

 Map frequency affects mean scheduling delay D and channel utilization ρ
 Upstream Frame Delay = contention delay + scheduling delay
 Contention Delay
  » Request contention and backoff
 Scheduling Delay
  » Scheduling requests at the CMTS
Module 4, Page 22

Scheduling Delay and Utilization


Approximation Example

 CMTS immediately schedules a map after receiving a request

$$D = C + \frac{L}{B_{up}}$$

 D is the delay
 C is the sum of all system constants
 B_up is the upstream channel bandwidth
 Assuming that all frames have the same size L

Utilization is the fraction of that delay spent actually transmitting:

$$\rho_{up} = \frac{L / B_{up}}{C + L / B_{up}} = \frac{1}{1 + \frac{C \cdot B_{up}}{L}}$$

 With C = 0.3 ms and B_up = 2.5 Mbps (so C · B_up = 750 bits) and L = 300:
   $\rho_{up} = \frac{1}{1 + 750/300} = 0.285$
 With maximum MTU, L = 1500:
   $\rho_{up} = \frac{1}{1 + 750/1500} = 0.667$

Note that the slide labels L in bytes, but the quoted results (0.285 and 0.667) only follow if L is taken in bits; with L = 300 and 1500 bytes (2400 and 12000 bits) the same formula gives 0.762 and 0.941. Either way the conclusion holds: fixed per-request overhead C is amortized far better by large frames, which is why concatenation and piggybacking matter on the upstream.
Module 4, Page 23

Downstream Signal Profile

 Upstream Bandwidth Allocation Map (MAP) includes:


 Initial Maintenance Interval (broadcast interval) with start and end of
connection opportunity
Module 4, Page 24

Ranging

 Adjusts for location in the cable plant:
  Power levels
  Timing offset
  Frequency offset
 CM uses the Ranging Request (RNG-REQ) message
 Assumes SID of 0
Module 4, Page 25

Range Request Format


Module 4, Page 26

Range Response Format


Module 4, Page 27

Auto Adjustments

 CMTS receives the initial Ranging Request from the CM
 CMTS responds with a unicast Ranging Response (RNG-RSP)
  Assigns a temporary SID and allocates bandwidth to this SID
  Adjusts power level, timing offset, and frequency
  Sets downstream and upstream channels
  CMTS begins Admission Control
Module 4, Page 28

Admission Control

RNG-REQ (CM) → RNG-RSP (CMTS) exchange:
 CMTS allocates a temporary SID
 Adds CM to forwarding tables
 CMTS sends MAP with a Station Maintenance opportunity for that SID
 CM ranges with the new settings
 CMTS sends RNG-RSP
 Indicates success or failure of admission
Module 4, Page 29

Collisions

 Initial Ranging is a shared opportunity
  Possibility of collisions
  Binary exponential backoff algorithm for when CMs collide
   » CMTS gives them a backoff start and end (window exponents) to wait before they try again
    • Specified in the MAPs for their upstream channels
    • Ensures that CMs that collide during initial ranging are randomized enough in their wait times before they try initial ranging again
     – Less of a chance of them colliding again
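The contention mechanism described on the Upstream MAC Operation slide and in the collision bullets above can be simulated to see why the MAP's backoff window matters. This is an added example written for this page (not code from the Motorola module): every CM defers a random number of contention opportunities drawn from [0, 2^exponent - 1], a collision (two or more RNG-REQs in one opportunity, so nobody gets a RNG-RSP) widens the window up to the MAP's end exponent, and a CM gives up after 16 retries. The number of opportunities per MAP and the modem MACs are assumptions.

```python
import random

MAX_RETRIES = 16   # DOCSIS: a CM abandons a contention request after 16 retries


class ContendingCM:
    """One modem's contention-resolution state for initial ranging (or bandwidth requests)."""

    def __init__(self, mac, start_exp, end_exp, rng):
        self.mac, self.end_exp, self.rng = mac, end_exp, rng
        self.exp = start_exp            # current backoff window exponent, taken from the MAP
        self.retries = 0
        self.done = self.gave_up = False
        self._pick_defer()

    def _pick_defer(self):
        # defer a random number of contention opportunities in [0, 2^exp - 1]
        self.defer = self.rng.randint(0, (1 << self.exp) - 1)

    def wants_to_transmit(self):
        """Called once per contention opportunity; True once the deferral has run out."""
        if self.done:
            return False
        if self.defer == 0:
            return True
        self.defer -= 1
        return False

    def collided(self):
        """No RNG-RSP came back: widen the window (capped at the end exponent) and retry."""
        self.retries += 1
        if self.retries >= MAX_RETRIES:
            self.done = self.gave_up = True     # a real CM would reinitialize its MAC here
            return
        self.exp = min(self.exp + 1, self.end_exp)
        self._pick_defer()


def simulate(n_cms, opps_per_map, start_exp, end_exp, seed=1, max_maps=1000):
    """Run contention until every CM has ranged or given up; returns the counters."""
    rng = random.Random(seed)
    cms = [ContendingCM(f"cm{i}", start_exp, end_exp, rng) for i in range(n_cms)]
    stats = {"maps": 0, "collisions": 0, "successes": 0, "gave_up": []}
    while any(not c.done for c in cms) and stats["maps"] < max_maps:
        stats["maps"] += 1
        for _ in range(opps_per_map):                 # initial-maintenance opportunities in this MAP
            senders = [c for c in cms if c.wants_to_transmit()]
            if len(senders) == 1:                     # the CMTS hears exactly one RNG-REQ
                senders[0].done = True
                stats["successes"] += 1
            elif senders:                             # overlapping bursts: nobody is answered
                stats["collisions"] += 1
                for c in senders:
                    c.collided()
                    if c.gave_up:
                        stats["gave_up"].append(c.mac)
    return stats


if __name__ == "__main__":
    print("no backoff :", simulate(20, 4, 0, 0))
    print("backoff 2-10:", simulate(20, 4, 2, 10, seed=7))
```

With a zero-width window (start = end = 0) every modem transmits in the first opportunity of every MAP, so 20 modems collide 16 times and all give up; with a window of 2 through 10 the same 20 modems all range, which is the randomization the slide refers to.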
Module 4, Page 30

Tuning & Initial Ranging Summary

Message sequence: UCD, SYNC and MAP from the CMTS, then Rng-Req from the CM and Rng-Rsp from the CMTS.

Before the CM is heard:

MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0

While the CM is ranging:

MOT# show cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect   Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State     Offset  Power
Cable 0/0  4         1     init(r1)  1239    109    0.0.0.0     0030.ebff.f03
Total cable modems reg: 0
Total cable modems other state: 1
Module 4, Page 31

Using Debugging for Troubleshooting Ranging

 From the Privileged EXEC mode
debug cable x/y <options including range and register>
 Asynchronously indicates receipt of
» RNG-REQ
» REG-REQ
 Sending of
» RNG-RSP
» REG-RSP
no debug cable x/y <options including range and register>
 Stops ranging/registration debug
MOT> en
MOT# debug cable 3/0 range
Cable range debugging is turned on for slot 3
[01/07-07:46:43- 03:CMTSMAC]-D-0x011648b9 CMAC: Received RNG-REQ From 0004.bdcd.29ba


Module 4, Page 32

Timing Offset

[Figure: the initial ranging region during ranging. CM1, the closest CM to the CMTS, is assigned time offset t1 and CM2, the farthest, time offset t2; both offsets move the CMs to zero distance from the CMTS]

 CMs range by transmitting at a known time in an initial ranging region
 Region is wide enough for the closest and farthest CMs to range
 CMTS measures the difference from the expected time
 CMTS sends the CM an offset to normalize the CM to zero distance from the CMTS
Module 4, Page 33

Power Offset

[Figure: downstream and upstream signal levels along the plant (29-8, 20-4, 14-8, 11-8 as drawn) go from higher to lower with distance from the CMTS, due to attenuation]
Module 4, Page 34

IP Connectivity

 After the modem has successfully ranged it must register with the CMTS for network connectivity
 DHCP is used to provide the following:
  IP address
  Lease time
  Gateway address
  File server and file name
  Time of day server and offset
Module 4, Page 35

IP Address Allocation with DHCP

 Client-side view of the IP address allocation process

[Figure: DHCP client state diagram: Initialization → Selection → Request → Binding, with Renewing and Rebinding entered from Binding]
Module 4, Page 36

Sample Network Architecture


[Figure: a regional headend hosting the DHCP server, LDAP server, web cache and VOD/AOD video server, connected over a regional WAN/MAN (OC-3/OC-12 POS, 10/100 Ethernet) to distribution hubs and local headends; legacy and first-generation DOCSIS CMTSs serve DOCSIS 1.0/1.1 HFC networks]
Module 4, Page 37

Sample Network Architectural Overview Detail

[Figure: Layer 3 networks joined over a WAN and a switch; the DHCP server (scopes, policies/options), the ToD server and the TFTP server holding the CM Cfg File sit on a network directly connected to the BSR64000; a Layer 2 network carries host functions only]

 DHCP on a network that is directly connected to the BSR64000
Module 4, Page 38

Sample Network Architectural Overview Detail (cont.)

[Figure: as before, but the DHCP server (scopes, policies/options), the ToD server and the TFTP server holding the CM Cfg File are reached across the WAN rather than from a directly connected network]

 DHCP on a network that is not directly connected to the BSR64000
Module 4, Page 39

Debugging DHCP

 Debugging DHCP/TFTP-Related Behaviors


 From the Privileged EXEC mode
debug ip udp [dhcp]
• Allows for watching source/destination of DHCP/UDP messages
– Output to console triggered by receipt of message on port 67 or 68 (DHCP)
no debug ip udp [dhcp]
» Stops ip udp (dhcp) debug
undebug all
» Stops all debug

MOT> en
MOT# debug ip udp dhcp
UDP DHCP Debugging is turned on

Module 4, Page 40

Initialization – Simple Network

 Initialization
  DHCPDISCOVER message sent as broadcast
   » Contains MAC and hostname
  BSR64000 inserts the CMTS RF interface IP address in the DHCP GIADDR field
  Reframed and sent unicast to the cable helper address

[Figure: (1) the CM broadcasts DHCPDISCOVER from its MAC address to 255.255.255.255, BootP UDP port 67; (2) the CMTS inserts its IP address in the GIADDR field and reframes the DHCPDISCOVER as unicast to the cable helper (BootP UDP port 67), through a switch to the DHCP server (scopes, policies/options)]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(d)  1239    109    0.0.0.0     0030.ebff.f03

Module 4, Page 41

Configuring Cable Helper

 Configure Helper Parameters


 Cable Helper Address
» Tells BSR64000 where to forward DHCP Client Messages
» Best Practice to use this on cable interfaces
 From the Interface Configuration EXEC mode
[no] cable helper-address <ip address> [cable modem | host]

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# cable helper-address 192.168.100.100 cable modem
MOT(config-if)# cable helper-address 192.168.101.100 host
Module 4, Page 42

Configuring IP Helper

 Configure Helper Parameters


 IP Helper Address
» Tells BSR64000 where to forward broadcasts received on configured
interface
» Forwards: Trivial File Transfer Protocol (TFTP) (port 69), Domain Name System (port 53), Time service (port 37), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
» Best Practice to use on all interfaces other than cable
• Except to provide more (redundant) DHCP servers for CMTS interfaces
– Should be used with ip forward protocol command to limit to DHCP only
 From the Interface Configuration EXEC mode
[no] ip helper-address <ip address>

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip helper-address 192.168.100.100
Module 4, Page 43

IP Forward Protocol

 From the Global Configuration EXEC mode


[no] ip forward-protocol udp [<0-65535> | bootpc | bootps | domain | netbios-dgm | netbios-ns | tacacs | tftp | time]
» Remove all protocols other than bootpc and bootps, so that a helper address relays DHCP only and does not also hand CPE broadcasts for TFTP, DNS or NetBIOS to the OSS servers

MOT(config)# ip forward-protocol udp ?


<0-65535> Port number
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
domain Domain Name Service (DNS, 53)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
tacacs TAC Access Control System (49)
tftp Trivial File Transfer Protocol (69)
time Time (37)
<cr>
MOT(config)# no ip forward-protocol udp domain
Module 4, Page 44

Initialization – Complex Network

 If the DHCP server is not on a network directly connected to the BSR64000
  ip dhcp relay information option should be set
  BSR64000 inserts the CMTS IP address in the DHCP GIADDR field
   » Sets DHCP option 82

[Figure: (1) the CM broadcasts DHCPDISCOVER from its MAC address to 255.255.255.255, BootP UDP port 67; (2) the CMTS reframes the DHCPDISCOVER as unicast to the cable helper cable modem address, BootP UDP port 67; (3) it is forwarded across the WAN like any other unicast traffic on BootP UDP port 67, with the GIADDR field left untouched by all routers in the path, to the DHCP server (scopes, policies/options)]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(d)  1239    109    0.0.0.0     0030.ebff.f03

Module 4, Page 45

DHCP Relay Agents

 Relay Agents
  Routers between the CMTS and the DHCP server
   » By design, a relay agent fills GIADDR with its receiving interface address only when GIADDR is still zero, so the CMTS-inserted GIADDR survives the later hops
  [no] ip dhcp relay information option
   » Adds the DHCP relay agent information option (option 82, circuit ID and remote ID) so the DHCP server can tell which cable interface and modem a request came through; the server, and any relay in the path, should accept option 82 only from relay addresses it trusts, and the CMTS must discard client packets that already carry it

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip dhcp relay information option
Module 4, Page 46
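The Initialization slides and the relay-agent bullets above describe what the BSR64000 does to a modem's broadcast before handing it to the cable helper address. The following is an added example written for this page, not code from the Motorola module or the BSR: it builds a DHCPDISCOVER, lets a first relay stamp GIADDR and append option 82 (RFC 3046 circuit-ID and remote-ID sub-options), shows a second relay leaving GIADDR alone, and drops a client packet that arrives already carrying option 82 with GIADDR zero, which RFC 3046 treats as forged. The interface, helper and modem addresses and the circuit-ID string are assumptions.

```python
import socket
import struct

BOOTP_FMT = ">BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header (RFC 2131)
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT, OPT_END = 53, 61, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2           # RFC 3046 sub-options of option 82
HOPS_OFF, GIADDR_OFF = 3, 24                   # byte offsets of hops and giaddr in the header


def build_discover(mac: str, xid: int) -> bytes:
    """DHCPDISCOVER as a cable modem broadcasts it (constructed sample, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "").replace(".", ""))
    zero = socket.inet_aton("0.0.0.0")
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0, zero, zero, zero, zero,
                      chaddr.ljust(16, b"\0"), b"", b"")
    opts = (bytes([OPT_MSG_TYPE, 1, 1])                 # message type 1 = DISCOVER
            + bytes([OPT_CLIENT_ID, 7, 1]) + chaddr     # client id: htype 1 + MAC
            + bytes([OPT_END]))
    return hdr + MAGIC + opts


def _tlv(buf: bytes, start: int, end_code):
    """Walk type/length/value options from `start`; stop at end_code (None = run to the end)."""
    out, i = {}, start
    while i < len(buf) and buf[i] != end_code:
        if buf[i] == 0:                                 # pad option has no length byte
            i += 1
            continue
        code, ln = buf[i], buf[i + 1]
        out[code] = bytes(buf[i + 2:i + 2 + ln])
        i += 2 + ln
    return out, i


def parse_dhcp(pkt: bytes) -> dict:
    f = struct.unpack_from(BOOTP_FMT, pkt)
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, end = _tlv(pkt, 240, OPT_END)
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:f[2]].hex(), "options": opts, "options_end": end}
    if OPT_RELAY_AGENT in opts:
        msg["relay_agent"] = _tlv(opts[OPT_RELAY_AGENT], 0, None)[0]
    return msg


def relay(pkt: bytes, interface_ip: str, circuit_id: bytes, remote_id: bytes, helper: str):
    """What a relay (the CMTS first, then any router) does with a client message.
    Returns (packet, (dst_ip, dst_port)) or (None, None) when the packet must be discarded."""
    m = parse_dhcp(pkt)
    if m["giaddr"] == "0.0.0.0" and OPT_RELAY_AGENT in m["options"]:
        return None, None       # RFC 3046 2.1.1: option 82 straight from a client is forged
    out = bytearray(pkt)
    out[HOPS_OFF] = min(out[HOPS_OFF] + 1, 255)
    if m["giaddr"] == "0.0.0.0":                        # first relay: stamp giaddr, add option 82
        out[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(interface_ip)
        sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
        out[m["options_end"]:m["options_end"]] = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    # later relays leave giaddr and option 82 exactly as the first relay set them
    return bytes(out), (helper, 67)
```

The DHCP server answers to GIADDR, and the remote-ID (here the modem MAC) is what later lets the CMTS tie a CPE lease back to the modem it came through; that is only trustworthy because the CMTS refuses option 82 that a CPE or modem inserted itself.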

Selection

 Selection
  DHCPOFFER
  Sent broadcast
  Server MAC and IP
  Client IP and subnet mask
  Lease duration

[Figure: (1) the DHCP server sends DHCPOFFER (server MAC and IP address; lease with IP address, subnet mask and duration) to GIADDR; (2) the CMTS forwards the offer to the CM and creates an entry mapping SID to MAC to IP address in memory (DHCP snooping)]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(o)  1239    109    192.168.5.5  0030.ebff.f03

Module 4, Page 47

Request

 Request
  DHCPREQUEST
  Sent unicast to the server IP address
  Requests options
   » Configuration file, etc.

[Figure: (1) the CM sends DHCPREQUEST to the server IP address with its request for options, through the CMTS and switch to the DHCP server (scopes, policies/options)]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(r)  1239    109    192.168.5.5  0030.ebff.f03

Module 4, Page 48

Requested Information

 The following parameters will be requested by the Cable Modem


(CM) from the DHCP server
 IP address of the CM
 IP address of the TFTP Server (for DOCSIS Configuration file)
 IP address of the DHCP Relay Agent (if the DHCP server resides on a different network than the CM)
 TFTP/DOCSIS Configuration file name
 Subnet Mask to be used by the CM
 Time offset of the CM from Universal Coordinated Time (UTC)
 Default IP Gateway
 Time of Day Server IP address
 SYSLOG Server IP address
Module 4, Page 49

Binding

 Binding
  DHCPACK
  DHCP lease information sent
  Requested options sent

[Figure: (1) the DHCP server (scopes, policies/options) sends DHCPACK with the lease information and the requested options, through the switch and CMTS to the CM]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(a)  1239    109    192.168.5.5  0030.ebff.f03

Module 4, Page 50

DHCP Summary
[Figure: the CM sends Discover and Request through the CMTS to the DHCP server, which returns Offer and Response; the exchange gives the CM its IP address, gateway, TFTP server, ToD server and config file name]
Module 4, Page 51

Time-of-Day

[Figure: the CM sends ToD-REQ through the CMTS and the LAN/WAN to the ToD server, which returns ToD-RSP]

 Time Protocol, RFC 868
 UDP and TCP requests on port 37
 32-bit value defining the number of seconds since 00:00 (midnight) January 1, 1900 GMT
Module 4, Page 52

Configuration

[Figure: the CM sends TFTP-REQ through the CMTS and the LAN/WAN to the TFTP server; the file comes back as TFTP-RSP data blocks, each answered by a TFTP-ACK]

 After the modem has acquired an IP address, it must be given some basic configuration information
 The configuration file name and location are provided during the DHCP process
 Server address: the siaddr field of the DHCP response (option 66, TFTP server name, carries the same value where the server also populates it)
 Bootfile name: the file field of the DHCP response (option 67, bootfile name, likewise)
 TFTP carries the file in clear text with no authentication, which is why the sections that follow restrict who can reach the TFTP server
Module 4, Page 53

Cable Modem Configuration Files

 The following settings MUST be included in the configuration file:


 Network Access Configuration Setting
 Class of Service Configuration Setting

 The following settings are optional:


 Downstream Frequency
 Upstream Channel ID
 Vendor ID
 Baseline Privacy
 Software Upgrade filename
 SNMP Write-Access Control
 SNMP MIB Object
 Software Server IP Address
 CPE Ethernet MAC Address
 Maximum Number of CPE’s (32 Max)
 SNMP IP Address (if applicable)
 Telephone Settings (if applicable)
 Vendor-Specific Configuration (if applicable)
Module 4, Page 54

Protection From Theft of Service –


Cable Modem Uncapping
 Necessary to keep hackers from obtaining the cable modem configuration file
 With this file, they could uncap their cable modems
  » Raise guaranteed bandwidth by editing the Class of Service settings and feeding the modified file to the modem
 This is prevented by implementing access lists so that CPEs cannot reach the TFTP server
 Note that access lists only stop CPEs from reading the file off the operator's TFTP server; a modem can still be pointed at a rogue TFTP server, so the configuration-file CMTS MIC (the DOCSIS 1.1 shared secret) should be verified at registration as well
Module 4, Page 55

What are Access Lists?

 Standard
  Checks source address
  Generally permits or denies the entire protocol suite
 Extended
  Checks source and destination address
  Generally permits or denies specific protocols
 Inbound or outbound

[Figure: an incoming packet on E3/0 and an outgoing packet on C4/0 are each run through the access list process, which asks whether the source is permitted]
Module 4, Page 56

Access List Applications

 Transmission of packets on an interface
  Permit or deny packets moving through the router
   » Through specific interfaces
 Telnet access
  Permit or deny telnet access to or from the router
 » Without access lists, all packets could be transmitted onto all parts of your network
 » We can use access lists to block traffic from CPEs to the OSS network
 » Keep users away from the TFTP server (CM Cfg File)
Module 4, Page 57

Outbound Access Lists

[Figure: a packet arrives on an inbound interface, is looked up in the routing table and routed to an outbound interface (E 4/0, E 5/0); if that interface has an outbound access list, the packet is tested against the list statements in order until one matches; a permit forwards it and a deny sends it to the packet discard bucket]

 • If no access list statement matches, then discard the packet.
 • Notify sender
Module 4, Page 58

Testing Packets with Standard


Access Lists

[Figure: a frame carries a packet (IP header), a segment (for example a TCP header) and data; a standard access list uses only the source address from the IP header to test the packet against statements 1-99, yielding deny or permit]
Module 4, Page 59

A List of Tests: Deny or Permit

[Figure: packets arriving at the interface(s) in the access group are tested against the first statement; a match yields that statement's deny or permit, otherwise the next test(s) and finally the last test are tried; if nothing matches, the implicit deny (deny all) sends the packet to the discard bucket. Permitted packets continue to the destination interface(s)]
Module 4, Page 60

Standard IP Access List


Configuration
 Create access-list
  – Global Configuration EXEC
  – Test criteria
  – Permit or deny
    access-list <access-list number> [permit | deny] <source> <wildcard-mask>

MOT (config)# access-list 1 deny 172.16.4.0 0.0.0.255
MOT (config)# access-list 1 permit any

 Assign access-lists to interfaces
  – Interface EXEC
    ip access-group <access-list number> [in | out]

MOT (config-if)# ip access-group 1 out

 Standard access lists are numbered 1-99; a standard entry takes a single source address and wildcard mask (or `any`), statements are tested in order, the first match wins, and a packet that matches nothing hits the implicit deny at the end of the list


Module 4, Page 61

Standard IP Access List Example

[Figure: E 2/0 leads to the WAN and the DHCP server (cm) (scopes, policies/options); E 1/0 to the DHCP server (cpe); E 4/0 (172.16.3.1 255.255.255.0) to a switch with the ToD server and the TFTP server holding the CM Cfg File. The cable interface is 172.16.4.1 255.255.255.0 with 201.55.4.1 255.255.255.0 secondary; a CM at 172.16.4.2 and a CPE at 201.55.4.2 sit behind it]

MOT (config)# access-list 1 permit 172.16.4.0 0.0.0.255
(implicit deny any)
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 1 out

Only the CM subnet (172.16.4.0/24) can reach the servers behind E 4/0; traffic from the CPE subnet (201.55.4.0/24) falls through to the implicit deny.
Module 4, Page 62

Standard vs. Extended Access Lists

 Standard
 Filters based on source
 Permits or denies entire TCP/IP protocol suite
 Valid range is 1 through 99
 Extended
 Filters based on source and destination
 Specifies a specific IP protocol and port number
 Valid range is 100 through 199
Module 4, Page 63

Testing Packets with Extended


Access Lists

[Figure: a frame carries a packet (IP header), a segment (for example a TCP header) and data; an extended access list uses the protocol, source address, destination address and port number to test the packet against statements 100-199, yielding deny or permit]
Module 4, Page 64

Extended IP Access List


Configuration

 Create access-list
  – Global Configuration EXEC
  – Test criteria
  – Permit or deny
    access-list <access-list number> [permit | deny] <protocol> <source> <wildcard> <destination> <wildcard> [eq <port>]

MOT (config)# access-list 101 deny udp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 101 permit ip any any

(In the topology on the following slide the CPE subnet 201.55.4.0/24 is the one to deny; denying 172.16.4.0/24 as above would block the modems' own configuration-file downloads.)

 Assign access-lists to interfaces
  – Interface EXEC
    ip access-group <access-list number> [in | out]

MOT (config-if)# ip access-group 101 out

 Extended access lists are numbered 100-199; the final `permit ip any any` is needed because the list otherwise ends in an implicit deny
Module 4, Page 65

Extended IP Access List Example

[Figure: E 2/0 leads to the WAN and the DHCP server (cm) (scopes, policies/options); E 4/0 (172.16.3.1 255.255.255.0) to a switch with the ToD server and the TFTP server holding the CM Cfg File. The cable interface is 172.16.4.1 255.255.255.0 with 201.55.4.1 255.255.255.0 secondary; a CM at 172.16.4.2 and a CPE at 201.55.4.2 sit behind it]

MOT (config)# access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 101 permit ip any any
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 101 out

CPEs (201.55.4.0/24) are blocked from TFTP (UDP 69) on the server subnet but can still reach anything else behind E 4/0, while the modems (172.16.4.0/24) are unaffected.
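To check what a list will actually do before applying it to an interface, the matching rules from the standard and extended access list slides (wildcard masks, first match wins, implicit deny) can be reproduced offline. The following is an added example written for this page, not code from the Motorola module or the BSR64000 CLI: it parses `access-list` lines in the syntax shown above and evaluates constructed packets from the CM and CPE subnets of the example topology against lists 1 and 101. The packet addresses are assumptions chosen to fall in those subnets.

```python
import socket
from dataclasses import dataclass
from typing import Optional


def _ip(a: str) -> int:
    return int.from_bytes(socket.inet_aton(a), "big")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a /24
    and 255.255.255.255 (the meaning of 'any') matches everything."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    protocol: str = "ip"               # "ip" matches every protocol (all a standard list can say)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None        # "eq <port>" on an extended entry


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(config_lines):
    """Build {list-number: [Ace, ...]} from 'access-list N permit|deny ...' lines, in order."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        num, action, rest = int(t[1]), t[2], t[3:]
        if num <= 99:                                  # standard list: source only
            src, src_wc, _ = _addr(rest)
            ace = Ace(action, "ip", src, src_wc)
        else:                                          # extended: protocol, source, destination, port
            proto, rest = rest[0], rest[1:]
            src, src_wc, rest = _addr(rest)
            dst, dst_wc, rest = _addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            ace = Ace(action, proto, src, src_wc, dst, dst_wc, port)
        acls.setdefault(num, []).append(ace)
    return acls


def evaluate(acl, pkt):
    """First matching entry decides; returns (verdict, index), index None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace.protocol not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action, i
    return "deny", None


# Constructed configuration: the two lists from the example slides (ACL 101 uses the CPE subnet).
EXAMPLE_CONFIG = [
    "access-list 1 permit 172.16.4.0 0.0.0.255",
    "access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69",
    "access-list 101 permit ip any any",
]
```

Running the CPE packet `201.55.4.20 -> 172.16.3.5 udp/69` through list 1 returns the implicit deny (nothing matched), and through list 101 returns the explicit deny at index 0, while the same CPE's DNS query to the server subnet is permitted by 101 and denied by 1: the standard list is the more restrictive of the two.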
Module 4, Page 66

Verifying Access Lists

 Check what access lists applied to an interface


 Inbound and outbound
show ip interface <interface-type> <interface-identifier>

mot#show ip int e 4/0


ethernet 4/0 is up, line protocol is up
Internet address is 192.168.120.1/24
Broadcast address is 255.255.255.255
MTU 1500 bytes
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 101
Outgoing qos list is not set
Policy routing is disabled
Proxy ARP is disabled
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are always sent

Module 4, Page 67

Examining Access Lists

 From Privileged EXEC


show ip access-list <access-list number>
show access-lists <access-list number>

mot#show access-lists
mot#show ip access-lists

Extended IP access list 101


deny icmp host 192.168.120.2 host 200.20.20.1 echo
permit ip any any

Module 4, Page 68

Examining Access Lists (cont.)

 From Privileged EXEC


show ip filters

mot#sh ip filters
AP = Access List Permit, AD = Access List Deny, II = Ip Ingress,
TE = Ip Tunnel Egress, TL = Ip Tunnel Loopback, IR = ICMP Redirect,
IU = ICMP Unreachable, TN = Ip Tunnel, PP = Policy Route Permit,
PD = Policy Route Deny, QS = Qos, SM = Send To Srm
Dest Ip Address  Src Ip Address   Pro  SP     DP     DS  In If      Out If     FT  QId
---------------  ---------------  ---  -----  -----  --  ---------  ---------  --  ---
200.20.20.1      192.168.120.2    icm  -      -      0   eth 4/0    -          SM  -
any              any              ip   -      -      0   eth 4/0    -          AP  -
any              any              ip   -      -      0   eth 4/0    -          AD  -

Module 4, Page 69

Examining Access List Usage

 From Privileged EXEC


show ip traffic

mot# show ip traffic



IP statistics:
Rcvd: 3611 total, 2634 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 0 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 streamID, 0 strict source route, 0 alert, 0 cipso
0 policy-based routing forward, 0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 2 received, 0 sent
Mcast: 2363 control pkt received, 1602 control pkt sent
0 datat pkt received, 0 data pkt sent
Sent: 3285 generated, 113 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
0 Mcast In Drop, 0 Mcast Out Drop
0 no route, 0 unicast RPF, 0 forced drop
5 acces-list inbound, 0 access-list outbound
0 policy-based routing drop

Module 4, Page 70

Host Authorization Overview

 Provides CPE IP address security by implementing an authorized ARP


cache on a per CMTS basis
 Binds CPEs to a particular cable modem MAC address and PSID and
stores entries in the host authorization table on every CMTS
 Host authorization table is populated by gleaning DHCP packet
information or by operator configured entries via the CLI or SNMP
 Implements similar functionality to the Cisco uBR’s “cable source-
verify” feature
Module 4, Page 71

Host Authorization Key Features

 Prevents IP address spoofing and ARP cache poisoning


 Uses a CAM operation on the CMTS FPGA for fast performance in the
upstream and downstream data paths
 As of release 2.2.1 up to 252 IP addresses can be authorized to the
same MAC address
 The “cable host auth range” command allows up to 16 ranges of IP
addresses to be excluded from host authorization; Note that operator
configured entries always override entries in the range
 Operator configured CLI and SNMP entries are persistent across a
system reload as of release 1.3.1
Module 4, Page 72

Host Authorization Forwarding


Operation

 A CAM search of the ARP caches is performed on the source IP


address of every non-DHCP packet from a CPE
 Based on the result of the search there are three possibilities:
 ARP entry is not found; packet is dropped and a downstream ARP is
sent for the source IP address and a filter entry is placed in the ARP
table to prevent ARP flooding
 ARP entry is found, but the PSID from the packet does not match the
entry; Drop the packet and send a downstream ARP request but do not
create a filter entry
 ARP is found and the source IP and PSID match so forward the packet
Module 4, Page 73

Host Authorization ARP Operation

- All ARP packets from a CPE are verified against the host authorization table
- The authorization process is as follows:
  - If the source IP address is in an excluded range and it is not in the host authorization table, skip the authorization process and continue to process the ARP packet; as a result, CPEs in the excluded range will not have host authorization entries
  - Verify the CPE ARP packet is coming from the correct cable modem using the source HW address and SID
  - Verify the source IP and source HW addresses against the host authorization table
  - If no entry exists in the host authorization table, perform DLQ
Module 4, Page 74

DHCP Lease Query Overview

- Allows the BSR to obtain DHCP lease information for CPEs directly from the DHCP server
- Secure mechanism for getting CPE lease information when it is not in the host authorization table
- Host authorization must be enabled for DLQ to work
- Like host authorization, it is implemented on a per-CMTS basis
Module 4, Page 75

DHCP Lease Query Features

- Implements a new DHCP message type between the relay agent and the DHCP server
- CMTS maintains a new "unauthorized" table that keeps track of pending queries
- Resolved queries are inserted into the host authorization table
Module 4, Page 76

DHCP Lease Query Operation

- When processing an ARP packet and a host auth entry does not exist:
  - Send a DLQ packet to the server
  - Add entry to unauthorized table
  - Wait for response
  - Receive DHCP active packet and add the CPE to the host auth table
Module 4, Page 77

Useful CLI Commands

- CMTS interface config mode:
host authorization on
dhcpleasequery authorization on
host authorization <cm mac> <cpe | cpr> <cpe mac> <cpe ip>
- Global config mode:
cable host authorization range <start ip> <end ip>
- Enable mode:
show host authorization [slot num | summary]
show host authorization <cpe> <static | leased>
show host unauthorized cpe
show cable modem <mac> <cpe | host>
show cable host <mac | ip>
Module 4, Page 78

Registration

[Process stage diagram: Tuning, Ranging, Connection, Configuration, Registration (current stage), Maintenance]

- The modem only comes online after it has registered with the CMTS
- Reports that all configuration parameters were received and applied
Module 4, Page 79

Registration (cont.)

- CM generates a Registration Request (REG-REQ)
- Includes configuration parameters received from the TFTP configuration file:
  - Downstream frequency, Upstream channel ID
  - Network access configuration settings
  - Class of Service
  - Modem Capabilities

[Figure: Cable Modem sends REG-REQ across the HFC network to the CMTS]
Module 4, Page 80

Registration (cont.)

[Process stage diagram: Registration (current stage). Figure lists things the CMTS needs to know about from the REG-REQ, e.g. CMTS MIC, CM MIC, Filters]
Module 4, Page 81

Registration (cont.)

- CMTS
  - Checks CM's MAC address and authentication signature
  - Assigns a permanent SID
  - Provides bandwidth for CM requested Class of Service
  - Modifies forwarding table to allow full user data if the modem requested Network Access
  - Sends REG-RSP to CM
    » CM can pass unencrypted data

[Figure: CMTS sends REG-RSP across the HFC network to the Cable Modem]
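The "authentication signature" the CMTS checks above is the CMTS MIC, a keyed digest over the configuration parameters the modem echoes in its REG-REQ. The following added Python example (constructed; not BSR or CableLabs code) builds the TLV-encoded parameters from the previous slide, appends a CM MIC (plain MD5) and a CMTS MIC (HMAC-MD5 under the operator's shared secret), then verifies the file the way a CMTS would and shows a tampered Network Access setting being rejected. TLV types 1 to 7 are the DOCSIS configuration-file types; the MIC coverage is simplified to "every TLV preceding the MIC, in file order", whereas the specification fixes the exact TLV set and order. The shared secret, frequencies and rates are constructed.

```python
"""CMTS-side integrity check of registration parameters (constructed, simplified example)."""
import hashlib
import hmac
import struct

# DOCSIS configuration-file TLV types used here; 255 marks end of data
T_DS_FREQ, T_US_CHAN, T_NET_ACCESS, T_COS, T_CM_MIC, T_CMTS_MIC, T_END = 1, 2, 3, 4, 6, 7, 255


def tlv(t, value):
    return bytes([t, len(value)]) + value


def parse_tlvs(blob):
    """Return [(type, value), ...]; stops at the end-of-data marker."""
    out, i = [], 0
    while i < len(blob) and blob[i] != T_END:
        t, n = blob[i], blob[i + 1]
        out.append((t, blob[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def build_config(ds_freq_hz, us_chan, network_access, cos, shared_secret):
    """Provisioning side: encode parameters, then append CM MIC and CMTS MIC."""
    cos_sub = (tlv(1, bytes([cos["class_id"]]))                 # sub-TLV 1: class ID
               + tlv(2, struct.pack(">I", cos["max_ds"]))        # sub-TLV 2: max downstream rate
               + tlv(3, struct.pack(">I", cos["max_us"]))        # sub-TLV 3: max upstream rate
               + tlv(7, bytes([1 if cos["privacy"] else 0])))    # sub-TLV 7: privacy enable
    body = (tlv(T_DS_FREQ, struct.pack(">I", ds_freq_hz))
            + tlv(T_US_CHAN, bytes([us_chan]))
            + tlv(T_NET_ACCESS, bytes([1 if network_access else 0]))
            + tlv(T_COS, cos_sub))
    body += tlv(T_CM_MIC, hashlib.md5(body).digest())              # unkeyed: detects corruption only
    body += tlv(T_CMTS_MIC, hmac.new(shared_secret, body, "md5").digest())  # keyed: detects tampering
    return body + bytes([T_END])


def cmts_verify(reg_req, shared_secret):
    """CMTS side: recompute the keyed MIC; return (accepted, decoded parameters)."""
    tlvs = parse_tlvs(reg_req)
    covered, presented = b"", None
    for t, v in tlvs:
        if t == T_CMTS_MIC:
            presented = v
            break
        covered += tlv(t, v)
    if presented is None:
        return False, {}
    expected = hmac.new(shared_secret, covered, "md5").digest()
    if not hmac.compare_digest(presented, expected):
        return False, {}          # altered after provisioning, or signed with another secret
    by_type = dict(tlvs)
    params = {
        "ds_freq_hz": struct.unpack(">I", by_type[T_DS_FREQ])[0],
        "us_chan": by_type[T_US_CHAN][0],
        "network_access": by_type[T_NET_ACCESS][0] == 1,
    }
    return True, params


def demo():
    secret = b"shared-secret-example"      # constructed stand-in for the operator's shared secret
    cos = {"class_id": 1, "max_ds": 2_000_000, "max_us": 256_000, "privacy": True}
    cfg = build_config(543_000_000, 2, False, cos, secret)
    ok, params = cmts_verify(cfg, secret)
    # Tamper: flip Network Access Control from 0 to 1 after the TFTP download
    idx = cfg.index(tlv(T_NET_ACCESS, b"\x00")) + 2
    tampered = cfg[:idx] + b"\x01" + cfg[idx + 1:]
    return ok, params, cmts_verify(tampered, secret)[0], cmts_verify(cfg, b"wrong")[0]


if __name__ == "__main__":
    print(demo())
```

The unkeyed CM MIC would also change after the edit, but only the keyed CMTS MIC stops someone who can rewrite the whole file: without the shared secret they cannot produce a matching digest, which is why that secret should be treated as sensitive operator configuration.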
Module 4, Page 82

Cable Bundling

- Network Cable Subnet Bundling
  - Pooling of Network Resources
  - Binding of CMTS Modules
    » Sharing of IP address
      • Saving of costly IP addresses
  - Increases Manageability
    » Saves from having to individually configure CMTS Modules
  - Forwarding Table grows exponentially
    » Need to
      • Increase ARP age out timer
      • Refrain from clearing ARP-Cache
Module 4, Page 83

Cable Bundling Concept

- Master/slave relationship

[Figure: one Master CMTS with several Slave CMTSs beneath it]

- Referenced by Master CMTS-id
- Configurable from local Cable Interface
Module 4, Page 84

Configuring Cable Bundling

- Master CMTS:
cable bundle <bundle-id> [master]

MOT> en
MOT# config
MOT(config)# int cable 3/0
MOT(config-if)# ip address 192.168.69.1 255.255.255.0
MOT(config-if)# cable bundle 100 master

- Slave CMTS:
cable bundle <bundle-id>

MOT> en
MOT# config
MOT(config)# int cable 11/0
MOT(config-if)# cable bundle 100
Module 4, Page 85

Virtual Cable Bundling

- Configured the same way as physical cable bundling
- Cable bundle master is set to a Loopback Interface
  » Will never go down as long as the chassis is up and running

MOT> en
MOT# config
MOT(config)# int loopback 1
MOT(config-if)# ip address 192.168.69.1 255.255.255.0
MOT(config-if)# cable bundle 100 master
Module 4, Page 86

Checking Cable Bundling

- Check running-configuration
  - Master

MOT# sh run
interface cable 3/0
ip address 172.16.110.1 255.255.255.0
ip address 10.10.39.1 255.255.255.0 secondary
ip helper-address 10.20.40.12
no shutdown
cable bundle 100 master
no cable downstream 0 shutdown
cable upstream 0 map-interval 2000
cable upstream 0 physical-delay 600
no cable upstream 0 shutdown
no cable upstream 1 shutdown
no cable upstream 2 shutdown
no cable upstream 3 shutdown
ip dhcp relay information option

Module 4, Page 87

Checking Cable Bundling (cont.)

- Check running-configuration
  - Slave

MOT# sh run
interface cable 12/0
no shutdown
cable bundle 100
no cable downstream 0 shutdown
no cable upstream 0 shutdown
no cable upstream 1 shutdown
cable upstream 2 shutdown
cable upstream 3 shutdown
ip dhcp relay information option

Module 4, Page 88

Checking Cable Bundling (cont.)

- Check ARP Table
show arp
- Check Forwarding Tables
  - All
show ip forwarding
  » For a specific bundle
show cable bundle <bundle-id> forwarding-table
Module 4, Page 89

Baseline Privacy Interface (BPI)

- Optionally follows modem registration
- Provides user data privacy by encrypting traffic flows, upstream and downstream
- Provides cable operators basic protection from theft of service
- Mechanisms for:
  - authentication: CM to CMTS and CMTS to CM
  - key distribution: traffic keys and lifetimes
  - data encryption applied to SIDs
- 56-bit DES encryption
Module 4, Page 90

Baseline Privacy Plus Interface (BPI+)

- Provides stronger crypto mechanisms
- Support of future upgrade of crypto capabilities
- Strong authentication
- Dynamic security associations
Module 4, Page 91

BPI/BPI+ Service Goals

- Encrypt the data/voice between the CMTS and the MTA/CM.
- Goals are
  » Privacy
    • From CM/MTA to CMTS only
  » Protection from Theft of Service

[Figure: MTA and CM connect across the HFC to the CMTS and on to the ER; BPI/BPI+ covers only the CM-to-CMTS span]
Module 4, Page 92

BPI Security Association

- If CM is configured for Baseline Privacy in the modem TFTP configuration file:
  - CM sends Authorization Request
    » Public key, MAC address, and SIDs
  - CMTS responds with an Authorization Response
    » Authorization Key (encrypted KEK)
    » Key Sequence number and Lifetimes
    » List of SIDs
      • For each requested Class of Service

[Figure: Cable Modem sends Auth-REQ across the HFC to the CMTS; CMTS returns Auth-RSP]
Module 4, Page 93

BPI Security Association (cont.)

- CM sends a Key Request for each SID
- CMTS responds with DES encrypted TEK for each SID
- CM can now pass encrypted data

[Figure: Cable Modem sends KEY-REQ across the HFC to the CMTS; CMTS returns the TEK]
Module 4, Page 94

BPI/BPI+ Divergence

- DOCSIS 1.0 (BPI) does not have a secure mechanism to authenticate the CM
- DOCSIS 1.1 (BPI+) adds strong authentication of the CM through the use of X.509 digital certificates
- Additional service goal of preventing large-scale theft of service
- Each CM is issued a unique digital certificate that is verified through the DOCSIS root certificate authority
Module 4, Page 95

DOCSIS Trust Hierarchy

- Digital certificates are only useful if trustworthy
- Assigning of digital certificates must be a secure process
Module 4, Page 96

BPI+ Security Association

- If CM is configured for Baseline Privacy in the modem TFTP configuration file:
  - CM sends Authorization Request
    » CM-ID, CM-Certificate, Security-Capability, Primary SAID
  - CMTS responds with an Authorization Response
    » Auth-key, Key-Lifetime, Key-Sequence_Number, one or more SA-Descriptors

[Figure: Cable Modem sends Auth-REQ across the HFC to the CMTS; CMTS returns Auth-RSP]
Module 4, Page 97

BPI+ Security Association (cont.)

- CM sends a Key Request for each SID
- CMTS responds with DES encrypted TEK for each SID
- CM can now pass encrypted data

[Figure: Cable Modem sends KEY-REQ across the HFC to the CMTS; CMTS returns the TEK]
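The key distribution step of the BPI+ security association (Auth-key, Key-Lifetime, Key-Sequence_Number, then a Key Request/Reply per SAID) as an added Python model. This is a constructed example, not BSR or CableLabs code. The derivation pads (0x53 for the KEK, 0x3A and 0x5C for the downstream and upstream HMAC keys, each repeated 64 times, SHA-1, KEK truncated to 128 bits) are stated here as my recollection of the BPI+ specification and should be checked against it; the 3DES wrapping of the TEK under the KEK is not implemented, so the encrypted TEK travels as opaque bytes supplied by the caller. The Auth key, SAID, sequence numbers and lifetime are constructed.

```python
"""BPI+ key derivation and Key Reply integrity check (constructed, simplified model)."""
import hashlib
import hmac
import struct

# Derivation pads: assumed from the BPI+ specification, verify against it
K_PAD_KEK = bytes([0x53]) * 64
K_PAD_D = bytes([0x3A]) * 64   # pad for the downstream message-authentication key
K_PAD_U = bytes([0x5C]) * 64   # pad for the upstream message-authentication key


def derive_keys(auth_key):
    """Both CM and CMTS derive the same KEK and HMAC keys from the 160-bit Auth key."""
    kek = hashlib.sha1(K_PAD_KEK + auth_key).digest()[:16]   # 128-bit key-encryption key
    hmac_key_d = hashlib.sha1(K_PAD_D + auth_key).digest()   # authenticates Key Replies
    hmac_key_u = hashlib.sha1(K_PAD_U + auth_key).digest()   # authenticates Key Requests
    return kek, hmac_key_d, hmac_key_u


def build_key_reply(said, key_seq, lifetime_s, enc_tek, hmac_key_d):
    """CMTS side: SAID, 4-bit key sequence, lifetime, encrypted TEK, then HMAC-SHA1."""
    body = struct.pack(">HBI", said, key_seq & 0x0F, lifetime_s) + bytes([len(enc_tek)]) + enc_tek
    return body + hmac.new(hmac_key_d, body, "sha1").digest()


def verify_key_reply(msg, hmac_key_d, expected_said, last_seq=None):
    """CM side: reject on bad digest, wrong SAID, or a sequence number that does not advance."""
    body, digest = msg[:-20], msg[-20:]
    if not hmac.compare_digest(hmac.new(hmac_key_d, body, "sha1").digest(), digest):
        return "reject:bad-hmac", None
    said, key_seq, lifetime = struct.unpack(">HBI", body[:7])
    if said != expected_said:
        return "reject:wrong-said", None
    if last_seq is not None and key_seq != (last_seq + 1) % 16:
        return "reject:stale-sequence", None
    n = body[7]
    enc_tek = body[8:8 + n]   # would be unwrapped with the KEK here
    return "accept", {"said": said, "key_seq": key_seq, "lifetime": lifetime, "enc_tek": enc_tek}


def demo():
    auth_key = bytes(range(20))             # constructed 160-bit Auth key from the Auth-RSP
    kek, hk_d, hk_u = derive_keys(auth_key)
    enc_tek = b"\xaa" * 16                  # constructed stand-in for the KEK-wrapped TEK
    reply = build_key_reply(said=5, key_seq=3, lifetime_s=43200, enc_tek=enc_tek, hmac_key_d=hk_d)
    ok = verify_key_reply(reply, hk_d, expected_said=5, last_seq=2)
    # A reply whose lifetime field was changed in transit: the digest no longer matches
    altered = reply[:3] + struct.pack(">I", 0xFFFFFFFF) + reply[7:]
    bad = verify_key_reply(altered, hk_d, expected_said=5, last_seq=2)
    # The same valid reply delivered again after the CM already holds sequence 3
    replay = verify_key_reply(reply, hk_d, expected_said=5, last_seq=3)
    return len(kek), ok[0], ok[1]["lifetime"], bad[0], replay[0]


if __name__ == "__main__":
    print(demo())
```

The point of the HMAC keys being derived from the Auth key is that only a CMTS that completed the authorization exchange with this modem can produce a Key Reply the modem will accept, which is the "CMTS to CM" half of the authentication the BPI slide lists.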


Module 4, Page 98

Dynamic Security Associations

- Useful for encrypting traffic flows that are dynamic or temporal
  - Multicast Traffic
- SA-MAP mechanism allows the CM to learn of encrypted traffic flows and their security association
- Currently applied to multicast downstream flow
- Interoperates with the DOCSIS 1.1 IGMP management mechanism, which triggers the establishment of dynamic SAs
Module 4, Page 99

IGMP/SA-MAP Example

[Figure: message sequence between CPE, CM and CMTS]
- CPE -> CM: IGMP MR (Join)
- CM: Set Multicast MAC Filter; CM -> CMTS: IGMP MR (Join)
- CM -> CMTS: SA-MAP Request
- CMTS: Determine SAID; CMTS -> CM: SA-MAP Reply
- CM: Start TEK FSM; CM <-> CMTS: Key Req/Reply
- CMTS: Encrypt Multicast Data -> CM: Decrypt Multicast Data -> CPE: Multicast Data
Module 4, Page 100

Periodic Maintenance

[Process stage diagram: Tuning, Ranging, Connection, Configuration, Registration, Maintenance (current stage)]

- Periodic ranging
  - Periodic loop delay, power, equalization
  - At least every 30 seconds

[Figure: Cable Modem sends RNG-REQ across the HFC to the CMTS; CMTS returns RNG-RSP]
Module 4, Page 101

Resetting Cable Modems

- Resetting cable modems
  - From the Privileged EXEC mode
clear cable modem [<mac> | <i.p. address> reset] [all reset]

MOT> en
MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 online(pk) 1239 109 10.200.220.2 0030.ebff.f03
Total cable modems reg: 2
Total cable modems other state: 0
MOT#
MOT# clear cable modem 0030.ebff.f03 reset
MOT#
